English
  • Russian
  • Korean
  • Support
Positive Technologies
English
  • Russian
  • Korean
  • Solutions
    Unified Application Security

    Your all-in-one AppSec solution

    Vulnerability Management

    Stop being an easy target

    ERP Security

    Take control of your ERP security

    Telecommunications

    Secure your core telecom network

    Financial Services

    Can your security keep up with you?

    Security Compliance

    Turn policies into protection

    ICS/SCADA

    Critical infrastructure on the frontline

    Utilities

    Industrial-grade cybersecurity

    View all →
  • Products
    MaxPatrol

    Vulnerability & compliance management.

    PT Application Inspector

    Source code analysis tool.

    PT ISIM freeView Sensor

    World's first free ICS cybersecurity monitoring solution.

    MaxPatrol SIEM

    Knows your infrastructure, delivers pinpoint detection.

    PT ISIM

    Cyberthreat detection and incident response in ICS.

    PT MultiScanner

    Multilayered protection against malware attacks.

    PT Application Firewall

    Intelligent protection of business applications.

    PT Telecom Attack Discovery

    Signaling threat detection and response.

    View all →
  • Services
    ICS/SCADA Security Assessment

    Full Range of ICS-specific Security Services

    Web Application Security Services

    Black Box and White Box Analysis

    SSDL Implementation

    Secure Application Development at Your Organization

    Advanced Border Control

    Upgrade Your View of Perimeter Security

    Telecom Security Assessment

    Proactive security assessment of telecom core network

    Mobile Application Security Services

    Security Analysis and Compliance Audit

    Penetration Testing

    A Comprehensive Approach

    ATM Security Assessments

    Uncover Your Weaknesses

    Custom Application Security Services

    Independent Expert Analysis of Your Source Code

    Forensic Investigation Services

    Prevent Future Incidents

    View all →
  • Analytics
    Threatscape
    Research Blog
    Knowledge base
    View all →
  • Partners
    Authorized Partners
    Distributors
    Technology Partners
    View all →
  • About
    Clients
    Press
    News
    Events
    Vacancies
    Contacts
    Documents and Materials
    View all →
Menu
  • Home
  • Analytics
  • Web application attack trends

Web application attack trends

Published on February 8, 2017
  • Web applications

Contents

  • Introduction
  • Methodology
  • Government, e-commerce, and finance in the spotlight
  • Automated vs. manual attacks
  • Attack types
  • Conclusions

Introduction

Vulnerabilities in the Internet-connected software run by large organizations create a large security risk. A single successful exploit — which can be as short as a few characters typed in the wrong place — can abuse these flaws and set a breach in motion. Exploits can be leveraged to access corporate databases and other sensitive information, causing financial and reputational damage to the target, system hijacking, theft of intellectual property, and downtime. Visitors to the websites of these companies can also be put in danger, since successful attacks can result in theft of credentials and malware infection of user computers.

The aim of our web application attack research was two-fold: to determine which attacks are most commonly used by hackers in the wild, and to find out which industries are being targeted and how. With this data, organizations can be more aware of digital threats and protect themselves accordingly.

Summary of findings:

  • Organizations across the board are being targeted with a high volume of attacks on their web applications.
  • Governmental organizations and e-commerce companies showed themselves to be particular targets. These two sectors are also subjected to the highest level of manual (non-automated) compromise attempts.
  • Attack types are tailored to specific sectors. For example, e-commerce sees a mix of attempts designed to cause downtime and access internal files. By contrast, 65% of all attacks in the finance sector attempt to steal the login information of website visitors.
  • Sectors seeing the lowest attack volumes, conversely, see the highest volume of automated web attacks from hackers, who use specialized software to search for vulnerabilities automatically.
  • Easy-to-execute methods such as SQL Injection and OS Commanding are the most commonly used methods across all sectors. Rarer attacks include Arbitrary File Execution and Cross-Site Request Forgery.

Methodology

The source data for our research was collected from a cross-section of deployments of PT Application Firewall (PT AF) throughout 2016. As a web application firewall (WAF), and unlike common firewalls and intrusion prevention systems, PT AF detects and prevents known attacks at the level of application and business logic. PT AF also protects against zero-day exploits and user attacks, and analyzes and correlates events to uncover attack chains using a number of self-learning and behavioral analysis techniques such as machine learning. The specific organizations have been anonymized here, but include governmental, educational, financial, transportation, industrial, and IT organizations in multiple countries. All examples given in this research were manually verified to exclude false positives and proved reliable. An attack is defined as a single malicious request.

Government, e-commerce, and finance in the spotlight

While attackers’ motivations are sometimes unclear and attribution is difficult, we see trends in the types of organizations that are targeted.

Out of the data analyzed, Government was by far the most under threat, logging nearly 70x more attacks per day than industrial systems, the sector with the least attacks. For governmental institutions, more than 70% of attempts were Path Traversal attacks. This relatively simple attack allows hackers to access vulnerable file system directories to potentially compromise files stored on servers.

E-commerce sites, characterized by an abundance of web applications, saw the second-highest average number of attacks in the sample day analyzed. This sector handles large volumes of sensitive consumer data, such as personal and financial information. The most popular attack vector in this sector, too, is Path Traversal, which potentially gives attackers access to file system directories. Denial of Service (DoS) attacks also constitute a significant portion of attacks (14%), a method that can render web applications inaccessible in a sector in which uptime is critical.

The finance sector rounded off the top three in terms of daily attack volumes, with the sample set registering an average of around 1,400 attacks per day. In this sector, about 65% of attacks consisted of Cross-Site Scripting (XSS) and Cross-Suite Request Forgery (CSRF) directed at system users. The widespread nature of such attacks in the financial industry underlines a special hazard for this sector, since XSS and CSRF can be used to steal cookie values and user credentials. Attacks on the finance sector appeared to be more complex overall than attacks in other sectors, suggesting a higher level of technical competence.

The transportation and IT companies analyzed had to withstand on average about 680 attacks per day.

Number of attacks per day by sector.

Fugure 1. Number of attacks per day by sector.
Fugure 1. Number of attacks per day by sector.

Automated vs. manual attacks

Interesting trends can be seen in the breakdown of web application attacks as either automated (generated by vulnerability scanning software) or stand-alone manual (human-originated) attacks. The latter indicates one-off attempts to exploit specific vulnerabilities, as opposed to the higher-volume automated approach of scanning for vulnerabilities in bulk.

Interestingly, the most targeted sectors (in terms of attack volume) also saw the highest number of manual attacks. Nearly all (99%) of attacks against e-commerce sites did not use automated software at all, potentially indicating a diverse range of isolated actors undertaking low-level attempts to exploit web application vulnerabilities. A similarly high percentage of compromise attempts on governmental web applications also had manual origins.

By contrast, most attacks across all remaining industries are performed with the help of specialized vulnerability detection software. Automated scanning includes attempts to perform various attacks such as SQL Injection and Path Traversal using security analysis tools. Attackers can use this analysis to exploit vulnerabilities and design an attack vector to gain access to sensitive information, local networks, and critical systems, or attack users.

Figure 2. Automated scanning vs. manual attacks
Figure 2. Automated scanning vs. manual attacks

The figure below shows an example of automated scanning that has been detected using sqlmap. PT AF found unwanted content in a User-Agent HTTP header and a request containing an SQL Injection attempt.

Figure 3. Example of detection of automated scanning
Figure 3. Example of detection of automated scanning

Attack types

The most common attacks detected were SQL Injection and OS Commanding, which allows for a deeper level of compromise. Such attempts were recorded on over 80% of systems. The third-most common attack type was Path Traversal. Taken together, the prevalence of these more “primitive” techniques shows that hackers tend to focus on simple attacks with low barriers to entry.

Typically, the less common an attack is, the more difficult it is to implement, or the more unlikely attackers are to find the other conditions necessary for accomplishing their goal. One example of a less common attack is attempts to compromise the file upload function in a web application. Most Arbitrary File Upload attacks exploit critical vulnerabilities and may completely compromise a web application and server, enabling an attacker to gain access to local network resources.

Our list of most popular attacks does not include the attacks performed by automated web application vulnerability scanners such as Acunetix or sqlmap.

Figure 4. Most popular attacks (% of web applications attacked)
Figure 4. Most popular attacks (% of web applications attacked)

Conclusions

The results make clear that hackers target certain sectors more than others: specifically, those bringing the most return in terms of sensitive information or financial reward. This is not a new trend in the cybersecurity space, but unfortunately one that will continue to drive malicious activity. Attackers are beginning to show a higher level of technical competence and capabilities in their attempts to steal funds and sensitive data in web application attacks. In order to accurately construct attack chains and perform incident forensics in such a fluid environment, including advanced persistent threats, it is important to implement technological solutions able to successfully correlate a vast range of variables and take appropriate countermeasures with minimal human intervention. For more information, visit PT AF page.

Download PDF
Related articles
  • December 13, 2017 Web Application Attack Statistics: Q3 2017
  • September 14, 2017 Web Application Attack Statistics: Q2 2017
  • April 16, 2018 Automated code analysis: web application vulnerabilities in 2017
Share:
Link copied
Related articles
July 12, 2017

Web application attack statistics: Q1 2017

June 26, 2019

Attacks on web applications: 2018 in review

September 14, 2017

Web Application Attack Statistics: Q2 2017

All articles
Solutions
  • Unified Application Security
  • Telecommunications
  • ICS/SCADA
  • Vulnerability Management
  • Financial Services
  • Utilities
  • ERP Security
  • Security Compliance
Products
  • MaxPatrol
  • MaxPatrol SIEM
  • PT Application Firewall
  • PT Application Inspector
  • PT ISIM
  • PT Telecom Attack Discovery
  • PT ISIM freeView Sensor
  • PT MultiScanner
Services
  • ICS/SCADA Security Assessment
  • Telecom Security Assessment
  • ATM Security Assessments
  • Web Application Security Services
  • Mobile Application Security Services
  • Custom Application Security Services
  • SSDL Implementation
  • Penetration Testing
  • Forensic Investigation Services
  • Advanced Border Control
Analytics
  • Threatscape
  • Research Blog
  • Knowledge base
Partners
  • Authorized Partners
  • Distributors
  • Technology Partners
About
  • Clients
  • Press
  • News
  • Events
  • Vacancies
  • Contacts
  • Documents and Materials
Positive Technologies
Copyright © 2002-2019 Positive Technologies
Find us:
  • Terms of Use
  • Privacy policy
Copyright © 2002-2019 Positive Technologies
  • Terms of Use
  • Privacy policy

We use cookies to enhance your experience on our website. By clicking Close you consent to our use of cookies. Find out more.

Close